I had a large Net limit rule in firewall, ive deleted it, but i wasnt using it for anything Thank you for your time steve

It doesn't matter if you changed your mind after switching to it, the changes were set at that point. If you change it back to stable, you'll have to at least manually reinstall pkg, which is probably what you already did by following that link.

@inagan Well if you're accessing via your browser, it could be your browser.

I just pushed a fix for that syntax error, new versions of the package should be available shortly.

I found the Problem: At the proxmox hosting platform, there was an option, to pass the traffic through the Host firewall (what was disabled). Therefore - pfsense has done everything right. After disabling this flag everything works like expected. THX for your support!!! Bfo

Hmm, OK well you need more RAM or less stuff using it. You can certainly tune Snort and Squid to use less. There are a number of threads about both. Steve

unbound-checkconf is grabbing a big chunk of memory. It should exit before starting unbound. When did you reboot last ? What's the size of unbound.conf. Did you inspect System and Resolver log ? PfblockerNG.log ? If you stop unbound, is the unbound-checkconf process still present.

IPSec is generally faster so if you have Gigabit at both sites you will be able to use more of it with IPSec. You can use either though. https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html https://docs.netgate.com/pfsense/en/latest/book/ipsec/site-to-site.html Steve

It's been while since I tried it but I think you had to deploy it as a profile to OSX to use anything but the default options there. However since that hangout was made I also think OSX may have stepped up the encryption levels it uses by default... so maybe a bit of both in play here. I know at the time we chose those settings as the only thing that would work with everything. Try setting it to the values in the hangout to make sure it connects and it is a encryption settings issue. If so look at deploying via a profile. Steve

You might be able to do this by making use of the option: Skip rules when gateway is down. That's a setting in System > Advanced > Misc. It applies globally so you would have to be careful. With that set use two rules on the LAN to pass traffic. The first via the main gateway. The second via the LTE gateway with limiters set. If the main gateway goes down that rule will not be applied and traffic will hit the second rule. Add copious notes because that would be an unusual setup, highly likely to confuse anyone who sees it later. Steve

@stephenw10 Oh, I have got the impression that it is also related to older versions. Thank you.

@stephenw10 Turned out to be a gateway issue. Had a little trouble getting the gateway off one adapter and onto another. Wanted to create a new duplicate gateway if changes were made in the wrong order. So took a couple runs through restoring the desired config then modifying the adapter ip/gw, deleting an associated vlan, disabling monitor action, and reassigning the gateway to get update working. Confirmed in backup router that "pkg -d updates" produces the same results as the in-service router. Left the packages behind but they can be manually reinstalled easy enough. Now golden. Thanks so much Stephen for your assistance. Much appreciated.

The Three Data Reward SIM is PAYG but you get 200MB per month free so it effectively costs me nothing until I need to use it when I then have to add credit. It's more expensive at that point especially if I have to use it quite a lot and much less convenient, requires manual intervention. But... hard to argue with free. Steve

It depends how they are being 'detected'. If they are entered into hosts by IP, the best way IMO, they should always be visible. If they dependent on some broadcast domain style detection protocol then you would need something to proxy/bridge that between subnet. So Avahi for mDNS or IGMPproxy / PIMD for SSDP. If they seen by your DC you may not need any of that of course. Steve

Good luck. Though you should be good. As I say the biggest risk there is that you pull in a bunch of changes that may have been added and were not yet in effect. If rules there do not change often then that may not apply. Steve

Good to hear to got access at least. That sort of situation can be inconvenient. There is no off-line upgrade option currently. You can upgrade from the console menu as long as you have a functioning WAN. You might consider switching to a full HA setup if you can get enough WAN IPs. Steve

@stephenw10 Awesome, much thanks Steve!

Yes choose option 1 at the console menu and re-assign the interfaces as required onto the new NIC. You will have to recreate the VLANs there though so they are also assignable if you have those interfaces in place already. Steve